Key Takeaways
- SIM swapping is a method hackers use to bypass two-factor authentication (2FA) by tricking phone companies into transferring a phone number to a new SIM card.
- SIM-swapping attacks are mainly financially motivated and cryptocurrency accounts have become popular targets due to the lack of chargeback options.
- If you suspect a SIM-swapping attack, take immediate action to secure your bank accounts and credit lines, change your passwords, and contact the police to file a report. Prevention includes using app-based authentication or physical security keys, rather than SMS-based 2FA.
You think you’re making all the right moves. You’re smart with your security. You have two-factor authentication enabled on all your accounts. But hackers have a way to bypass that: SIM swapping.
This Cybersecurity Awareness Week article is brought to you in association with Incogni.
What Is a SIM-Swap Attack?
There’s nothing inherently wrong with "SIM swapping." If you ever lose your phone, your carrier will perform a SIM swap and move your cell phone number to a new SIM card. It’s a routine customer service task.
The problem is hackers and organized criminals have figured out how to trick phone companies into performing SIM swaps. They can then access accounts protected by SMS-based two-factor authentication (2FA).
Suddenly, your phone number is associated with someone else's phone. The criminal then gets all text messages and phone calls intended for you.
Two-factor authentication was conceived in response to the problem of leaked passwords. Many sites fail to properly protect passwords; sites that do protect them use hashing and salting so that passwords cannot be read in their original form by third parties.
Even worse, many people reuse passwords across different sites. When one site gets hacked, an attacker now has everything he needs to attack accounts on other platforms, creating a snowball effect.
For security, many services require that people provide a special one-time password (OTP) whenever they log in to an account. These OTPs are generated on the fly and are only valid once. They also expire after a short time.
For convenience, many sites send these OTPs to your phone in a text message, which has its own risks. What happens if an attacker can obtain your phone number, either by stealing your phone or performing a SIM swap? This gives that person almost unfettered access to your digital life, including your banking and financial accounts.
So, how does a SIM-swap attack work? Well, it hinges on the attacker tricking a phone company employee into transferring your phone number to a SIM card he or she controls. This can happen either over the phone, or in-person at a phone store.
To accomplish this, the attacker needs to know a bit about the victim. Fortunately, social media is filled with the biographical details likely to fool a security question. Your first school, pet, or love, and your mother’s maiden name can all likely be found on your social accounts. Of course, if that fails, there’s always phishing.
SIM-swapping attacks are involved and time-consuming, making them better-suited for targeted incursions against a particular individual. It’s hard to pull them off at scale. However, there have been some examples of widespread SIM-swapping attacks. One Brazilian organized crime gang was able to SIM swap 5,000 victims over a relatively short period of time.
A "port-out" scam is similar and involves hijacking your phone number by "porting" it to a new cellular carrier.
Who Is Most at Risk?
Due to the effort required, SIM-swapping attacks tend to have particularly spectacular outcomes. The motive is almost always financial.
Recently, cryptocurrency exchanges and wallets have been popular targets. This popularity is compounded by the fact that, unlike traditional financial services, there’s no such thing as a chargeback with Bitcoin. Once it’s sent, it’s gone.
Furthermore, anyone can create a cryptocurrency wallet without having to register with a bank. It’s the closest you can get to anonymity where money is concerned, which makes it easier to launder stolen funds.
One well-known victim who learned this the hard way is Bitcoin investor, Michael Tarpin, who lost 1,500 coins in a SIM-swapping attack. This happened mere weeks before Bitcoin hit its all-time highest value. At the time, Tarpin's assets were worth over $24 million.
When ZDNet journalist, Matthew Miller, fell victim to a SIM-swap attack, the hacker tried to purchase $25,000 worth of Bitcoin using his bank. Fortunately, the bank was able to reverse the charge before the money left his account. However, the attacker was still able to trash Miller's entire online life, including his Google and Twitter accounts.
Sometimes, the purpose of a SIM-swapping attack is to embarrass the victim. This cruel lesson was learned by Twitter and Square founder, Jack Dorsey, on August 30, 2019. Hackers hijacked his account and posted racist and anti-Semitic epithets to his feed, which is followed by millions of people.
How Do You Know an Attack Has Taken Place?
The first sign of a SIM-swapping attack is that the SIM card loses all service. You won’t be able to receive or send texts or calls, or access the internet through your data plan.
In some cases, your phone provider might send you a text informing you that the swap is taking place, moments before moving your number across to the new SIM card. This is what happened to Miller:
"At 11:30 pm on Monday, 10 June, my oldest daughter shook my shoulder to wake me up from a deep sleep. She said that it appeared my Twitter account had been hacked. It turns out that things were much worse than that.
After rolling out of bed, I picked up my Apple iPhone XS and saw a text message that read, 'T-Mobile alert: The SIM card for xxx-xxx-xxxx has been changed. If this change is not authorized, call 611.'"
If you still have access to your email account, you might also start to see strange activity, including notifications of account changes and online orders you didn’t place.
How Should You Respond to a SIM-Swapping Attack?
When a SIM-swapping attack happens, it’s crucial you take immediate, decisive action to prevent things from getting worse.
First, call your bank and credit card companies and request a freeze on your accounts. This will prevent the attacker from using your funds for fraudulent purchases. Since you’ve also effectively been the victim of identity theft, it's also wise to contact the various credit bureaus and request a freeze on your credit.
Then, try to "get ahead" of the attackers by moving as many accounts as possible to a new, un-tainted email account. Unlink your old phone number, and use strong (and completely new) passwords. For any accounts you're unable to reach in time, contact customer service.
Finally, you should contact the police and file a report. I can’t say this enough — you’re the victim of a crime. Many homeowner's insurance policies include protection for identity theft. Filing a police report might allow you to file a claim against your policy and recover some money.
How to Protect Yourself From an Attack
Of course, prevention is always better than a cure. The best way to protect against SIM-swapping attacks is to simply not use SMS-based 2FA. Fortunately, there are some compelling alternatives.
You can use an app-based authentication program, like Google Authenticator. For another level of security, you can choose to purchase a physical authenticator token, like the YubiKey or Google Titan Key.
If you absolutely must use text- or call-based 2FA, you should consider investing in a dedicated SIM card you don’t use anywhere else. Another option is to use a Google Voice number, although that isn’t available in most countries.
Unfortunately, even if you use app-based 2FA or a physical security key, many services will allow you to bypass these and regain access to your account via a text message sent to your phone number. Services like Google Advanced Protection offer more bulletproof security for people at risk of being targeted, "like journalists, activists, business leaders, and political campaign teams."
An unfortunate number of services only allow SMS- or voice-call-based 2FA at this time, including many banks, so it is well worth being prepared for such an attack.